<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>HTTP Sessions</title>
</head>
<body bgcolor="#ffffff">
	<h1>HTTP Sessions</h1>
	<p>This tool keeps track of the existing HTTP Sessions on a
		particular Site and allows the Zaproxy user to force all requests to
		be on a particular session. Basically, it allows the user to easily
		switch between user sessions on a Site and to create a new Session
		without "destroying" the existing ones.</p>

	<p>
		It is based on the concept of Session Tokens, which are HTTP message
		parameters (for now only Cookies) that allow an HTTP server to
		connect a request message with any previous requests or stored data.
		In Zaproxy, session tokens are conceptually
		classified into two categories: default session tokens and site session
		tokens. The default session tokens are the ones that the user can set
		in the <a href="../../ui/dialogs/options/httpsessions.html">Options
			screen</a> and are tokens that are, by default, automatically considered
		session tokens for any site (e.g. phpsessid, jsessionid, etc.). The site
		session tokens are a set of tokens for a particular site and are
		usually set up using the popup menus available in the <a
			href="../../ui/tabs/params.html">Params Tab</a>.
	</p>

	<p>
		This tool automatically detects, using the defined session tokens or
		the automatically detected default session tokens, any HTTP session
		which exists in the communication. The detected sessions are shown in
		the <a href="../../ui/tabs/httpsessions.html">HTTP Sessions Tab</a>.
	</p>

	<p>
		The user can, using the button available on the <a
			href="../../ui/tabs/httpsessions.html">HTTP Sessions Tab</a>, create
		a new session without destroying the existing one, or can force one of
		the sessions to be 'active'. When a session is 'active', all the outbound
		requests sent to the corresponding Site are modified so that their session
		tokens match the active session. In this way, the user
		can easily force some messages to be 'part of' a particular session
		and then switch and send messages on another session.
	</p>
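
	<p>
		The following added example is a simplified model of the behaviour
		described above, not code from Zaproxy: it detects sessions from
		Cookie headers using default and site session tokens, then rewrites
		an outbound Cookie header to match the active session. All class and
		function names, the case-insensitive name matching and the sample
		token list are assumptions made for the illustration.
	</p>
<pre>
```python
# Added illustration; not ZAP source code. All names here are hypothetical.
DEFAULT_TOKENS = {"phpsessid", "jsessionid"}  # constructed sample of default tokens


def parse_cookies(header):
    """Split a Cookie header value into an ordered name/value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def session_tokens(cookies, site_tokens=()):
    """Return only the cookies whose names are default or site session tokens."""
    # Assumption: token names are compared case-insensitively.
    names = DEFAULT_TOKENS | {t.lower() for t in site_tokens}
    return {n: v for n, v in cookies.items() if n.lower() in names}


class SiteSessions:
    """Tracks the sessions seen for one site and which one is active."""

    def __init__(self, site_tokens=()):
        self.site_tokens = tuple(site_tokens)
        self.sessions = []   # each entry: dict of token name to value
        self.active = None   # index into self.sessions, or None

    def observe(self, cookie_header):
        """Record the session carried by a request; return its index."""
        tokens = session_tokens(parse_cookies(cookie_header), self.site_tokens)
        if not tokens:
            return None      # request carries no session token
        if tokens not in self.sessions:
            self.sessions.append(tokens)
        return self.sessions.index(tokens)

    def rewrite(self, cookie_header):
        """Return the Cookie header an outbound request would carry."""
        if self.active is None:
            return cookie_header
        cookies = parse_cookies(cookie_header)
        for name in session_tokens(cookies, self.site_tokens):
            del cookies[name]  # drop tokens belonging to any other session
        cookies.update(self.sessions[self.active])
        return "; ".join(f"{n}={v}" for n, v in cookies.items())
```
</pre>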

	<p>
		The HTTP Sessions tool is configured using the <a
			href="../../ui/dialogs/options/httpsessions.html">HTTP Sessions
			Options screen</a>.
	</p>

	<h2>Accessed via</h2>
	<table>
		<tr>
			<td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
			<td><a href="../../ui/tabs/httpsessions.html">HTTP Sessions
					tab</a></td>
			<td></td>
		</tr>
	</table>

	<h2>See also</h2>
	<table>
		<tr>
			<td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
			<td><a href="../../ui/overview.html">UI Overview</a></td>
			<td>for an overview of the user interface</td>
		</tr>
		<tr>
			<td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
			<td><a href="concepts.html">Features</a></td>
			<td>provided by ZAP</td>
		</tr>
		<tr>
			<td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
			<td><a href="../../ui/dialogs/options/httpsessions.html">HTTP
					Sessions Options screen</a></td>
			<td>for an overview of the tool's Options</td>
		</tr>
		<tr>
			<td>&nbsp;&nbsp;&nbsp;&nbsp;</td>
			<td><a href="../../ui/tabs/params.html">Params Tab</a></td>
			<td>for an overview of the Params Tab</td>
		</tr>

	</table>

</body>
</html>
